Go add permission check (#528)

fileserver/sync_api.go

@@ -178,7 +178,11 @@ func getBlockMapCB(rsp http.ResponseWriter, r *http.Request) *appError {
 	repoID := vars["repoid"]
 	fileID := vars["id"]
 
-	_, appErr := validateToken(r, repoID, false)
+	user, appErr := validateToken(r, repoID, false)
+	if appErr != nil {
+		return appErr
+	}
+	appErr = checkPermission(repoID, user, "download", false)
 	if appErr != nil {
 		return appErr
 	}
@@ -405,7 +409,11 @@ func postCheckExistCB(rsp http.ResponseWriter, r *http.Request, existType checkE
 	vars := mux.Vars(r)
 	repoID := vars["repoid"]
 
-	_, appErr := validateToken(r, repoID, false)
+	user, appErr := validateToken(r, repoID, false)
+	if appErr != nil {
+		return appErr
+	}
+	appErr = checkPermission(repoID, user, "download", false)
 	if appErr != nil {
 		return appErr
 	}
@@ -458,7 +466,11 @@ func packFSCB(rsp http.ResponseWriter, r *http.Request) *appError {
 	vars := mux.Vars(r)
 	repoID := vars["repoid"]
 
-	_, appErr := validateToken(r, repoID, false)
+	user, appErr := validateToken(r, repoID, false)
+	if appErr != nil {
+		return appErr
+	}
+	appErr = checkPermission(repoID, user, "download", false)
 	if appErr != nil {
 		return appErr
 	}
@@ -628,8 +640,13 @@ func getFsObjIDCB(rsp http.ResponseWriter, r *http.Request) *appError {
 
 	vars := mux.Vars(r)
 	repoID := vars["repoid"]
-	if _, err := validateToken(r, repoID, false); err != nil {
-		return err
+	user, appErr := validateToken(r, repoID, false)
+	if appErr != nil {
+		return appErr
+	}
+	appErr = checkPermission(repoID, user, "download", false)
+	if appErr != nil {
+		return appErr
 	}
 	repo := repomgr.Get(repoID)
 	if repo == nil {
@@ -730,6 +747,11 @@ func getBlockInfo(rsp http.ResponseWriter, r *http.Request) *appError {
 		return appErr
 	}
 
+	appErr = checkPermission(repoID, user, "download", false)
+	if appErr != nil {
+		return appErr
+	}
+
 	storeID, err := getRepoStoreID(repoID)
 	if err != nil {
 		err := fmt.Errorf("Failed to get repo store id by repo id %s: %v", repoID, err)
@@ -854,8 +876,13 @@ func getCommitInfo(rsp http.ResponseWriter, r *http.Request) *appError {
 	vars := mux.Vars(r)
 	repoID := vars["repoid"]
 	commitID := vars["id"]
-	if _, err := validateToken(r, repoID, false); err != nil {
-		return err
+	user, appErr := validateToken(r, repoID, false)
+	if appErr != nil {
+		return appErr
+	}
+	appErr = checkPermission(repoID, user, "download", false)
+	if appErr != nil {
+		return appErr
 	}
 	if exists, _ := commitmgr.Exists(repoID, commitID); !exists {
 		log.Printf("%s:%s is missing", repoID, commitID)
@@ -987,17 +1014,16 @@ func getHeadCommit(rsp http.ResponseWriter, r *http.Request) *appError {
 func checkPermission(repoID, user, op string, skipCache bool) *appError {
 	var info *permInfo
 	if !skipCache {
-		if value, ok := permCache.Load(fmt.Sprintf("%s:%s", repoID, user)); ok {
+		if value, ok := permCache.Load(fmt.Sprintf("%s:%s:%s", repoID, user, op)); ok {
 			info = value.(*permInfo)
 		}
 	}
 	if info != nil {
-		if info.perm == "r" && op == "upload" {
-			return &appError{nil, "", http.StatusForbidden}
-		}
 		return nil
 	}
 
+	permCache.Delete(fmt.Sprintf("%s:%s:%s", repoID, user, op))
+
 	if op == "upload" {
 		status, err := repomgr.GetRepoStatus(repoID)
 		if err != nil {
@@ -1011,18 +1037,16 @@ func checkPermission(repoID, user, op string, skipCache bool) *appError {
 
 	perm := share.CheckPerm(repoID, user)
 	if perm != "" {
-		info = new(permInfo)
-		info.perm = perm
-		info.expireTime = time.Now().Unix() + permExpireTime
-		permCache.Store(fmt.Sprintf("%s:%s", repoID, user), info)
 		if perm == "r" && op == "upload" {
 			return &appError{nil, "", http.StatusForbidden}
 		}
+		info = new(permInfo)
+		info.perm = perm
+		info.expireTime = time.Now().Unix() + permExpireTime
+		permCache.Store(fmt.Sprintf("%s:%s:%s", repoID, user, op), info)
 		return nil
 	}
 
-	permCache.Delete(fmt.Sprintf("%s:%s", repoID, user))
-
 	return &appError{nil, "", http.StatusForbidden}
 }